Add cool rbac graphics (#4289)

Jim Galasyn 2017-08-18 16:55:17 -07:00 committed by GitHub
parent 2c257df595
commit 973ea916f3
11 changed files with 17 additions and 5 deletions

@ -7,14 +7,14 @@ keywords: ucp, grant, role, permission, authentication, authorization
If you're a UCP administrator, you can create *grants* to control how users
and organizations access swarm resources.
![](../images/ucp-grant-model-0.svg){: .with-border}
A grant is made up of a *subject*, a *role*, and a *resource collection*.
A grant defines who (subject) has how much access (role)
to a set of resources (collection). Each grant is a 1:1:1 mapping of
subject, role, collection. For example, you can grant the "Prod Team"
"Restricted Control" permissions for the "/Production" collection.
![](../images/ucp-grant-model.png){: .with-border}
The usual workflow for creating grants has four steps.
1. Set up your users and teams. For example, you might want three teams,
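
Review bot: The `ucp-grant-model-0.svg` image at the top of this hunk has empty alt text (`![]`), so screen readers and text-only renderings get nothing where the grant diagram sits. Give it a short description in the brackets, along the lines of the "Diagram showing ..." alt text used on the role images elsewhere in this commit, for example `![Diagram of a grant: subject, role, and resource collection](../images/ucp-grant-model-0.svg){: .with-border}`, adjusted to what the graphic actually shows.
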
@ -23,6 +23,8 @@ The usual workflow for creating grants has four steps.
3. Optionally, create custom roles for specific permissions to the Docker API.
4. Grant role-based access to collections for your teams.
![](../images/ucp-grant-model.svg){: .with-border}
## Create a grant
When you have your users, collections, and roles set up, you can create
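
Review bot: The `ucp-grant-model.svg` image lands between step 4 of the workflow list and the `## Create a grant` heading with no sentence tying it to either, so it is unclear whether it illustrates the four-step workflow or introduces the next section. Either move it directly under the sentence it illustrates or add a one-line lead-in, and fill in the empty alt text (`![]`) while you are there.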

@ -19,7 +19,7 @@ A grant defines who (subject) has how much access (role)
to a set of resources (collection).
[Learn how to grant permissions to users based on roles](grant-permissions.md).
![](../images/ucp-grant-model.png)
![](../images/ucp-grant-model.svg)
An administrator is a user who can manage grants, subjects, roles, and
collections. An administrator identifies which operations can be performed
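
Review bot: The `![](../images/ucp-grant-model.svg)` line in this hunk has no `{: .with-border}` attribute, while the same image in the first file of this commit is written as `![](../images/ucp-grant-model.svg){: .with-border}`. Pick one treatment for this diagram and apply it in both places so the two pages render it the same way. The alt text is also empty here.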

@ -8,6 +8,8 @@ Docker EE enables controlling access to container resources by using
*collections*. A collection is a group of swarm resources,
like services, containers, volumes, networks, and secrets.
![](../images/collections-and-resources.svg){: .with-border}
Access to collections goes through a directory structure that arranges a
swarm's resources. To assign permissions, administrators create grants
against directory branches.
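
Review bot: The new `collections-and-resources.svg` line uses empty alt text (`![]`). This is the only illustration of how resources map into collections in the visible text, so a reader without the image loses the whole point of the graphic; add a short description in the brackets.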

@ -11,6 +11,8 @@ regular users have permissions that range from no access to full control over
resources like volumes, networks, images, and containers. Users are
grouped into teams and organizations.
![Diagram showing UCP permission levels](../images/role-diagram.svg)
Administrators create *grants* to users, teams, and organizations to give
permissions to swarm resources.
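
Review bot: The alt text on the new `role-diagram.svg` line, "Diagram showing UCP permission levels", is identical to the alt text on the `permissions-ucp` image later in the same file, so two different graphics are announced with the same description. Change this one to describe what `role-diagram.svg` shows, given that it follows the sentence about users being grouped into teams and organizations.
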
@ -39,7 +41,7 @@ The system provides the following default roles:
| `Scheduler` | The user can view nodes and schedule workloads on them. Worker nodes and manager nodes are affected by `Scheduler` grants. Having `Scheduler` access doesn't allow the user to view workloads on these nodes. They need the appropriate resource permissions, like `Container View`. By default, all users get a grant with the `Scheduler` role against the `/Shared` collection. |
| `Full Control` | The user can view and edit volumes, networks, and images, They can create containers without any restriction, but can't see other users' containers. |
![Diagram showing UCP permission levels](../images/permissions-ucp.png)
![Diagram showing UCP permission levels](../images/permissions-ucp.svg)
Administrators can create a custom role that has Docker API permissions
that specify the API actions that a subject may perform.
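
Review bot: Both `permissions-ucp.png` and `permissions-ucp.svg` appear in this hunk; make sure only the `.svg` reference remains in the rendered page and that nothing else still links to the `.png`. Since this area is being touched, the `Full Control` row just above also has a punctuation slip, "images, They can create containers", which should read "images. They can create containers".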
